Updating key value databases for virtual backups

ABSTRACT

A method, article of manufacture, and apparatus for protecting data. A file modification is identified. A previous file entry is modified where the previous file entry is stored in a key value database. A new file entry is created in the key value database. The previous file entry modification includes modifying the end version of the entry.

CROSS REFERENCE TO RELATED APPLICATIONS

This application is a continuation of co-pending U.S. patent applicationSer. No. 13/251,186, entitled UPDATING KEY VALUE DATABASES FOR VIRTUALBACKUPS filed Sep. 30, 2011 which is incorporated herein by referencefor all purposes, which is a continuation in part of U.S. patentapplication Ser. No. 13/174,666, now U.S. Pat. No. 8,843,443, entitledEFFICIENT BACKUP OF DATA filed Jun. 30, 2011 which is incorporatedherein by reference for all purposes.

FIELD OF THE INVENTION

This invention relates generally to processing data, and moreparticularly to systems and methods for protecting data.

BACKGROUND OF THE INVENTION

Virtualized computing environments are becoming increasingly popular dueto their efficient use of hardware, ease of IT-management, and reducedoperating costs. As with physical computing environments, data invirtualized computing environments also needs to be protected.

Protecting data in virtualized computing environments presentschallenges that are not encountered in physical computing environments.Conventional methods to protect data in virtual environments typicallyinclude taking an image of a virtual disk and storing the image in aremote location.

However, such methods may take considerable time and resources tocomplete. As the amount of data that needs to be backed up or restoredincreases, the problem of efficiently protecting data is becoming moreprofound.

There is a need, therefore, for an improved method, article ofmanufacture, and apparatus for protecting data.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention will be readily understood by the followingdetailed description in conjunction with the accompanying drawings,wherein like reference numerals designate like structural elements, andin which:

FIG. 1 illustrates a data system in accordance with some embodiments.

FIG. 2 illustrates a sample VMDK with a Windows file system.

FIG. 3 illustrates three different views of a VMDK in accordance withsome embodiments.

FIG. 4 illustrates a method to protect data in accordance with someembodiments.

FIG. 5 illustrates a method to protect data in accordance with someembodiments.

FIG. 6 illustrates a method to protect data in accordance with someembodiments.

FIG. 7 illustrates a method to protect data in accordance with someembodiments.

FIG. 8 illustrates a method to protect data in accordance with someembodiments.

FIG. 9 illustrates a method to protect data in accordance with someembodiments.

FIG. 10 illustrates a method to protect data in accordance with someembodiments.

FIG. 11 illustrates a method to protect data in accordance with someembodiments.

DETAILED DESCRIPTION

A detailed description of one or more embodiments of the invention isprovided below along with accompanying figures that illustrate theprinciples of the invention. While the invention is described inconjunction with such embodiment(s), it should be understood that theinvention is not limited to any one embodiment. On the contrary, thescope of the invention is limited only by the claims and the inventionencompasses numerous alternatives, modifications, and equivalents. Forthe purpose of example, numerous specific details are set forth in thefollowing description in order to provide a thorough understanding ofthe present invention. These details are provided for the purpose ofexample, and the present invention may be practiced according to theclaims without some or all of these specific details. For the purpose ofclarity, technical material that is known in the technical fieldsrelated to the invention has not been described in detail so that thepresent invention is not unnecessarily obscured.

It should be appreciated that the present invention can be implementedin numerous ways, including as a process, an apparatus, a system, adevice, a method, or a computer readable medium such as a computerreadable storage medium or a computer network wherein computer programinstructions are sent over optical or electronic communication links.Applications may take the form of software executing on a generalpurpose computer or be hardwired or hard coded in hardware. In thisspecification, these implementations, or any other form that theinvention may take, may be referred to as techniques. In general, theorder of the steps of disclosed processes may be altered within thescope of the invention.

An embodiment of the invention will be described with reference to adata storage system in the form of a storage system configured to storefiles, but it should be understood that the principles of the inventionare not limited to this configuration. Rather, they are applicable toany system capable of storing and handling various types of objects, inanalog, digital, or other form. Although terms such as document, file,object, etc. may be used by way of example, the principles of theinvention are not limited to any particular form of representing andstoring data or other information; rather, they are equally applicableto any object capable of representing information.

FIG. 1 illustrates a data system in accordance with some embodiments.Data system 10 may include one or more virtual environments, asillustrated by Virtual Environments 100 and 108. In some embodiments,Virtual Environment 100 may be a vSphere environment, a product offeredby VMWare. A virtual environment may include one or more virtualmachines (VMs) as illustrated by VMs 102. A virtual environment may alsoinclude an ESX server, a product offered by VMWare. A virtualenvironment also includes Physical Resources 106. Physical Resources 106may be local hard disks or remote resources, such as storage areanetworks (SAN) or use a Network File System (NFS) protocol. VMs 102 maybe different operating environments. For example, in some embodiments,VM 102 may be a virtual Windows machine. In some embodiments, VM 102 maybe a virtual Linux machine. Virtual Environment Manager 110 manages oneor more virtual environments. In some embodiments, a virtual environmentmanager may be vCenter, a product offered by VMWare. Data from a virtualenvironment, or a VM, may be backed up to Deduplicated Data Repository114. In some embodiments, Data Domain back products, offered by EMCCorporation, may be used. Backup Engine 112 may be an application toperform or orchestrate backup operations from the virtual environmentsto the deduplicated data repository. In some embodiments, Backup Engine112 may be Networker, a product offered by EMC Corporation.

It should be noted that although FIG. 1 illustrates a certainconfiguration of data system 10, other configurations are possible. Forexample, one of the physical resources of a virtual environment may be adeduplicated data repository. This may be helpful in cases of disasterrecovery, as explained herein. In other words, Physical Resources 106may be Deduplicated Data Repository 114.

By utilizing a virtual environment manager and a deduplicated datarepository, backing up image of virtual images may be made moreefficient. Virtual environment managers, such as vCenter, may takesnapshots of VMs under their supervision. In some embodiments, these areVirtual Machine Disk (VMDK) files. Once the snapshot has been created, abackup engine may begin moving the snapshot to the deduplicated datarepository. Due to the nature of the deduplicated data repository,redundant blocks of data do not need to be transmitted. For example,certain VMWare configuration files, such as .vmx files, rarely change inbetween backups. Since this data is usually the same, there is no needto re-transmit the data on subsequent backups, such as incrementalbackups. Further, since the virtual environment manager created asnapshot of a VM, the backed up image may also be used to start a VMdirectly. In other words, the deduplicated data repository contains aworkable VM. In some embodiments, the backup engine may connect directlyto the ESX server to receive VMDK files and other data required for abackup.

The deduplicated data repository and virtual environment manager alsoallow for efficient incremental backups. In addition to not transmittingredundant data on subsequent backups, the incremental backup may betreated as a whole image, as opposed to only a delta with conventionaltechniques. Virtual environment managers may keep track of which blocks,or data, changed during a time period. In some embodiments, this may bevCenter's Change Block Tracking (CBT) feature. Using this information, abackup engine may only transmit the changed blocks. However, instead ofjust storing the changed blocks, the features of a deduplicated datarepository may be utilized.

Deduplicated data repositories may replicate data efficiently. Sincereplicated data is by definition redundant data, pointers to the sameblock(s) of data are created. Thus, whether a deduplicated datarepository holds one copy of data, two copies of data, or twenty copiesof data, the amount actually stored is almost the same (save the spacerequired for pointers, and other overhead, etc.). Further, since these“duplicate” copies of data are small, it is relatively fast to generatethem (as compared to copying data). This is especially true when thedata set is large. For example, it may take little time to createpointers to a set of data that is 100 GB large, but it will take aconsiderable amount of time and computing resources to create an actualcopy of that 100 GB data. In some embodiments, Data Domain Boost, aproduct offered by EMC Corporation, may be used to efficiently replicatedata in a deduplicated data repository.

Thus, instead of just storing the changed blocks in the deduplicateddata repository, a replicate data set can be created, and the changedblocks can be written to the replicate data set. This results in anindependent full image, not just a delta. Further, the original data setstored in the deduplicated data repository (e.g the original the replicawas based off of) has not been modified, and may still be used forrecovery processes.

FIG. 4 illustrates a method to protect data in accordance with someembodiments. In step 400, a snapshot of a virtual machine is taken. Instep 402, the virtual machine is parsed to determine a header sectionand a file system. In step 404, the virtual machine is indexed based onthe parsing. In step 406, the index is stored in a storage device. Instep 408, the snapshot is stored in a deduplicated data storage device.

A VM may typically include several VMDK files. Once a VM or VMDK hasbeen backed up to a deduplicated data repository, a user may want toretrieve one or more individual files from the backup. Typically, thishas been accomplished by mounting the image, and browsing it as a localfile system for the particular files(s). However, this may be aninefficient way of recovering individual files. For example, if a VMDKfile 10 GB large, but a user only wanted a 1 KB file from it, mountingthe entire VMDK would be a waste resources. Further, the user would haveto wait for a 10 GB image to mount before being able to brose for the 1KB file.

Instead of mounting the VMDK, the enhanced techniques described hereinparse a VMDK to index files in it. A VMDK can be broken down to twosections: A VMDK header, and a file system. The file system has the samelayout as a normal file system under the native operating system. Forexample, if a VMDK included a Windows XP operating system, the filesystem would be same as a normal Windows XP operating system (e.g. NTFSfile system). FIG. 2 illustrates a sample VMDK with a Windows filesystem. VMDK 20 includes two regions: the top is VMDK Header 200. Thelarger bottom is NTFS File System 202.

Since a VMDK header is well defined, it is possible to skip over theVMDK header and go straight to the file system. If the file system is aNTFS file system, the Master File Table (MFT) can be parsed to identifyevery file in the NTFS file system. In some embodiments, this includesreading the MFT and getting file attributes, and for non-resident files,getting an extent list. Resident files are files that reside in the MFT.Non-resident files are files that reside outside the MFT.

In some embodiments, a backup engine parses the full MFT, processes eachfile record in the table, and saves the file information in its databaseor index. When parsing the MFT, the backup engine saves the followinginformation for each file record: File type (e.g. resident vs.non-resident), file record number (used to access the data for aresident file), time stamp, size of file, and a file extent list (usedto access the data for non-resident files). In some embodiments, theindex may be saved in the deduplicated data repository. In someembodiments, the index may be saved on the VM for ease of access. Insome embodiments, the index may be stored locally to the backup engine.By pre-indexing the files during a backup process, a user will be ableto identify individual files after the backup engine has completed thebackup process. Thus, when a user wants to recover an individual file, abackup or recovery engine does not need to mount the entire VMDK to findthe file. Rather, the index may be used to locate where in the VMDK theindividual file resides. Since the deduplicated data repository has afull image of a VMDK file, the backup may also be parsed based on theinformation in the index (e.g. whether the individual file is a residentor nonresident file, and where in the file system the file is, etc.). Insome embodiments, after isolating the part of the VMDK the individualfile resides in, the backup or recovery engine may reconstruct the fileon the deduplicated data repository, or may push it to an ESX server orindividual VMs.

FIG. 6 illustrates a method to protect data in accordance with someembodiments. In step 600, a file to recover is determined. In step 602,an index is looked up to find a file record number associated with thefile. In step 604, constituent blocks are determined based on the filerecord number. In step 606, data is reconstructed from the constituentblocks. In step 608, the data is stored in a storage device. In someembodiments, the constituent blocks may be a subset of a VMDK image. Inother words, the file to recover is stored as part of a VMDK image.

In some embodiments, if a user wanted to recover multiple residentfiles, it may be preferable to recover the whole MFT in memory and thenrecover each file based on file record number. If a user wanted torecover non-resident files, the backup engine may recover the file dataextent list to determine where in the VMDK the files are, and use thededuplicated data repository's replication ability to quickly recoverthe file.

In some embodiments, it may not be preferable to parse the entire MFT.For example, when processing an incremental backup, it may be determinedthat very little data has changed (e.g. CBT identifies only a fewchanged blocks). However, the actually data set may be very large andcontain a large number of files. Accordingly, the MFT may also be verylarge. It may be inefficient to parse the entire MFT when it can beinferred that only a few files have changed based on the CBT. Using theenhanced techniques described herein, it may be preferable to parse onlythe section of the MFT that changed.

FIG. 3 illustrates three different views of a VMDK in accordance withsome embodiments. VMDK View 300 shows a changed block list. The greenblocks illustrate which blocks have changed. The white blocks illustrateblocks that have not changed. VMDK View 302 shows where in the VMDK theMFT resides. The range of the MFT may be determined by parsing the VMDKfrom its previous full backup to determine the start location, and anend location may be calculated based on the number of file records.Since the range of the MFT is known, and the changed block list is known(may be from vCenter), we can combine the two to determine which blocksin the MFT changed. This is illustrated by the red blocks in VMDK 304.Thus, during incremental backups, only the changed section of the MFTneeds to be parsed. The changes may be detected and written to theindex. The new index may be saved as a separate whole index (e.g notjust a delta), or may overwrite the old index. This may result inconsiderable time and resource savings if the MFT is very large and thechange is very small.

FIG. 5 illustrates a method to protect data in accordance with someembodiments. In step 500, changed blocks of a virtual machine aretracked. In step 502, a MFT range of the virtual machine is determined.In step 504, a common region between the changed blocks and MFT range isidentified. In step 506, the common region is parsed to determine a listof changed files. In step 508, the list of changed files is stored in anindex. In some embodiments, the index may include a list of files of thevirtual machine in a previous state (e.g. an earlier version of thebackup).

In some embodiments, the deduplicated data repository is disk based. Adisk may be preferable to tape in some embodiments, such as in the caseof disaster recovery. For example, suppose a VM in a vSphere went down.Assuming the VM had been backed up to the disk based deduplicated datarepository, a user may configure the ESX server via NFS to enable ESXaccess to all data on the repository. In other words, the storage inFIG. 1 may be configured to include the repository. Since the repositoryhas both the configuration files and VMDK files saved with the originalformat during the backup, and each backup is an independent full backup,these backups may be registered with the virtual environment manager (orvCenter) to start a VM immediately on the repository.

Further, if a user did not wish to alter the original backup byperforming operations on it, the replication features of the repositorymay be used to create a copy of the full backup. The copy may then beused to start the VM instead of the original, and all changes madeduring the operation of the VM will be made to the copy. The user maykeep, delete, or migrate the new VM as needed after the VM has beenregistered with the virtual environment manager (vCenter).

FIG. 7 illustrates a method to protect data in accordance with someembodiments. In step 700, a copy of a backup virtual machine is createdon a deduplicated data storage device. In step 702, the copy isregistered with a virtual environment manager. In some embodiments, thevirtual environment manager may be vCenter. In step 704, virtual machineis operated based on the copy. In step 706, the changes made duringoperation of the virtual machine are stored to the copy. In someembodiments, operating the virtual machine includes connecting an ESXserver to the deduplicated data storage device.

In some embodiments, a database may be created for a virtual backup. Thedatabase may be used to assist in keeping track of files in the backup.Suppose a file system has the following structure:

/ (root) C:\ Dir1\ File 1, File 2 Dir2\ D:\ Dir 1 File 1File 1 and File 2 are in the path /C:\Dir1\. There is nothing in/C:\Dir2\, and there is only File 1 in /D:\Dir1. In some embodiments, akey/value database is used. In the above example, a key/value databasemay look like:

Key Value / C / D C:\ Dir1 | Version Info C:\ Dir2 | Version InfoC:\Dir1 File 1 | Version Info | Timestamp Size C:\Dir2 File 2 | VersionInfo | Timestamp Size D:\ Dir1 | Version Info D:\Dir1 File1 | VersionInfo | Timestamp | Size

The “Value” may also include other file attribute information, such asreference flag, data block information (e.g. start block number, totalnumber of blocks in the file, etc.), access control, andresident/non-resident file flag, among others.

FIG. 8 illustrates a method to protect data in accordance with someembodiments. In step 800, files are identified from a master file table.In step 802, a key/value database is generated based on the identifiedfiles, wherein the key includes directory information and the valueincludes file metadata. In step 804, the key/value database is stored ina storage device.

Version info includes information on the freshness of a file. Forexample, suppose during a full virtual backup, the file CONFIG.SYS wasbacked up. An entry in the database may look like:

CONFIG.SYS | 1 | 0 | t1 | {other metadata}This entry indicates that CONFIG.SYS backed up at time t1 has a startversion 1 and an end version 0. In some embodiments, an end version 0indicates that this entry is the current version. Other numbers orindicators may be used to indicate a current version. Thus, thisCONFIG.SYS is current.

Suppose another backup occurred at time t2, and CONFIG.SYS was notchanged. Since CONFIG.SYS was not changed, the database would not needto be modified. However, if CONFIG.SYS was changed, the database wouldneed to be updated. A database may look like the following in someembodiments:

CONFIG.SYS | 1 | 1 | t1 | {other metadata} CONFIG.SYS | 2 | 0 | t2 |{other metadata}There are now two entries for CONFIG.SYS in the database. The firstentry indicates that at time t1, a version of CONFIG.SYS was backed up,but it is only valid for that version (e.g. obsolete). That is, thestart version and the end versions are both the same (1). The secondentry indicates that at time t2, a version of CONFIG.SYS was backed up,and that this second version is the current version (start version=2,end version=0). If a user was looking to restore CONFIG.SYS and saw thisdatabase, the user would be able to see that the second CONFIG.SYS isthe current version and most likely would choose to restore thisversion. However, in some embodiments, the user may decide to restore anearlier version (e.g. current version may have been infected with avirus, etc.).

FIG. 9 illustrates a method to protect data in accordance with someembodiments. In step 900, a file modification is identified. In step902, a previous file entry is modified, wherein the file entry is storedin a key value database. In step 904, a new file entry is created in thekey value database.

To determine if a file changed, change block tracking (CBT) as describedherein may be used. However, a file does not typically correlate 1:1 toa block. Typically, a block may be used by several files. For example,in some embodiments, the minimum CBT block size is 64 k, and MTF entriesare 1 k each. Thus, a single block may potentially be used by 64different files. If only one file is actually changed, the other 63files may be considered candidates for “modified files” since CBT onlykeeps track of changes on the block level, and the block, as a whole,has changed due to the one modified file.

In order to keep the database accurate (e.g. not report 63 modifiedfiles when they are not actually modified), the timestamps may becompared. Using the above example, suppose at t2, the second backup'sCBT indicated that CONFIG.SYS may have been modified. If the secondCONFIG.SYS's timestamp was the same as the first CONFIG.SYS's timestamp,then CONFIG.SYS did not change between the two backups, and its databaseentry may be updated to reflect the “changed block.” The following dataentry illustrates how an entry may be updated in accordance with someembodiments.

Old record: (start version 1) CONFIG.SYS | Reference Flag 1 | 0 | 1 | t1| {other metadata} Update the record (change reference flag to latestversion) CONFIG.SYS | Reference Flag 2 | 0 | 1 | t1 | {other metadata}Note how there is no new record. This is unlike the case where a file ismodified, which requires updating the old record and creating a newrecord. In this case, the old record is modified to update a referenceflag, but the end version (0), start version (1), and timestamp (t1)remain the same. Thus, when a user chooses to restore CONFIG.SYS, theuser will still only see one entry for CONFIG.SYS in the database, andit will be the start version 1 CONFIG.SYS.

When a file is added after a backup, the MFT will change and the CBTwill notice this change. The file will be compared against the database,which currently does not have an entry for the file, and added to thedatabase. Using the above example, suppose NEW_CONFIG.SYS was createdafter t1 but before t2. At time t2, when the second backup commences,the CBT will indicate a change in a MFT block. One of the files in thechanged MFT block is NEW_CONFIG.SYS. Since the database does not haveany entry for this file, a new entry will be created. In someembodiments, the entry may be:

NEW_CONFIG.SYS | Reference Flag 2 | 0 | 2 | t2 | {other metadata}Thus, NEW_CONFIG.SYS is current (end version 0), has a timestamp of timet2, and its start version is 2.

Deleting a file will also affect the MFT and the CBT will notice thischange. However, since the MFT no longer has a record of the deletedfile, there will be no indication of this file during a subsequentbackup. As discussed above, a “no indication” may mean that a file hasnot changed since the last backup (e.g. CBT did not detect a change,thus MFT did not show a changed file). In order to detect a deletedfile, the previous backup is read to get the file list in CBT. Each filein the modified MFT list is checked for its reference flag. If thereference flag is set to the current version, then the file is present(e.g. not deleted). If the reference flag is not set, then there is noreference in the current backup and the file is not present (e.g.deleted). After determining a file has been deleted, its database entrywould need to be modified. Using the example above, supposeNEW_CONFIG.SYS was deleted at time t3.

NEW_CONFIG.SYS | Reference Flag 3 | 2 | 2 | t2 | {other metadata}Thus, NEW_CONFIG.SYS had a start version of 2 and an end version of 2.Note how there is no new entry in the database—only a modification of apast entry to indicate that the file is no longer current.

FIG. 10 illustrates a method to protect data in accordance with someembodiments. In step 1000, a changed block is received. In step 1002, aprevious backup is read to get a file list in change block tracking. Instep 1004, a file in a modified master file table list is checked for areference flag, wherein the modified master file table list is based onthe changed block. In step 1006, a database entry is modified based onthe reference flag.

FIG. 11 illustrates a method to protect data in accordance with someembodiments. In step 1101, a directory is used to identify keys in a keyvalue database. In step 1102, each key is walked through to identifyvalues. In step 1104, file is identified based on the walk through. Instep 1106, the identified file is restored to a storage device.

For the sake of clarity, the processes and methods herein have beenillustrated with a specific flow, but it should be understood that othersequences may be possible and that some may be performed in parallel,without departing from the spirit of the invention. Additionally, stepsmay be subdivided or combined. As disclosed herein, software written inaccordance with the present invention may be stored in some form ofcomputer-readable medium, such as memory or CD-ROM, or transmitted overa network, and executed by a processor.

All references cited herein are intended to be incorporated byreference. Although the present invention has been described above interms of specific embodiments, it is anticipated that alterations andmodifications to this invention will no doubt become apparent to thoseskilled in the art and may be practiced within the scope and equivalentsof the appended claims. More than one computer may be used, such as byusing multiple computers in a parallel or load-sharing arrangement ordistributing tasks across multiple computers such that, as a whole, theyperform the functions of the components identified herein; i.e. theytake the place of a single computer. Various functions described abovemay be performed by a single process or groups of processes, on a singlecomputer or distributed over several computers. Processes may invokeother processes to handle certain tasks. A single storage device may beused, or several may be used to take the place of a single storagedevice. The disclosed embodiments are illustrative and not restrictive,and the invention is not to be limited to the details given herein.There are many alternative ways of implementing the invention. It istherefore intended that the disclosure and following claims beinterpreted as covering all such alterations and modifications as fallwithin the true spirit and scope of the invention.

What is claimed is:
 1. A method for protecting data, the methodcomprising: identifying, by a processor, a file modification in acurrent backup, wherein the file modification relates to a deletion of afile; determining whether the file was deleted at least in part by:reading a previous backup to get a file list, wherein the file isincluded in the file list; inspecting a reference flag associated withthe file; and determining that the file has been deleted based at leastin part on the reference flag not being set; updating a previousdatabase entry associated with the file and corresponding to theprevious backup stored in a key value database to indicate that the filewas deleted, wherein a key of the file includes directory informationassociated with the file and a value of the file includes file metadata,wherein the file metadata includes a version value that indicateswhether the file is a current version stored in the previous backup or anon-current version stored in the previous backup, wherein updating theprevious database entry associated with the file includes modifying theversion value associated with the file metadata, wherein the modifiedversion value indicates the file is no longer current; and restoring, bythe processor, the file associated with the updated previous databaseentry from the previous backup.
 2. The method as recited in claim 1,wherein modifying the version value associated with the file includesmodifying an end version value of the previous database entry.
 3. Asystem for protecting data, comprising: a processor; and a memory,wherein the memory stores instructions, the instructions are executed bythe processor to: identify a file modification in a current backup,wherein the file modification relates to a deletion of a file; determinewhether the file was deleted at least in part by: read a previous backupto get a file list, wherein the file is included in the file list;inspect a reference flag associated with the file; and determine thatthe file has been deleted based at least in part on the reference flagnot being set; update a previous database entry associated with the fileand corresponding to the previous backup stored in a key value databaseto indicate that the file was deleted, wherein a key of the fileincludes directory information associated with the file and a value ofthe file includes file metadata, wherein the file metadata includes aversion value that indicates whether the file is a current versionstored in the previous backup or a non-current version stored in theprevious backup, wherein updating the previous database entry associatedwith the file includes modifying the version value associated with thefile metadata, wherein the modified version value indicates the file isno longer current; and restore the file associated with the updatedprevious database entry from the previous backup; and a memory coupledto the processor and configured to provide the processor withinstructions.
 4. The system as recited in claim 3, wherein the versionvalue associated with the file is modified at least in part by modifyingan end version value of the previous database entry.
 5. A computerprogram product for protecting data, comprising a non-transitorycomputer readable medium having program instructions embodied thereinfor: identifying a file modification in a current backup, wherein thefile modification relates to a deletion of a file; determining whetherthe file was deleted at least in part by: reading a previous backup toget a file list, wherein the file is included in the file list;inspecting a reference flag associated with the file; and determiningthat the file has been deleted based at least in part on the referenceflag not being set; updating a previous database entry associated withthe file and corresponding to the previous backup stored in a key valuedatabase to indicate that the file was deleted, wherein a key of thefile includes directory information associated with the file and a valueof the file includes file metadata, wherein the file metadata includes aversion value that indicates whether the file is a current versionstored in the previous backup or a non-current version stored in theprevious backup, wherein updating the previous database entry associatedwith the file includes modifying the version value associated with thefile metadata, wherein the modified version value indicates the file isno longer current; and restoring the file associated with the updatedprevious database entry from the previous backup.
 6. The computerprogram product as recited in claim 5, wherein modifying the versionvalue associated with the file modifying an end version value of theprevious database entry.